US20070168284A1 - Management of encrypted storage media - Google Patents

Management of encrypted storage media

Info

Publication number: US20070168284A1
Authority: US
Grant status: Application
Prior art keywords: data, storage sub, encrypted, unit, units
Legal status: Abandoned
Application number: US11330409
Inventors: Michael Factor, Dalit Naor, Adam Wolman, Aviad Zlotnick
Current Assignee: International Business Machines Corp
Original Assignee: International Business Machines Corp
Priority date: 2006-01-10
Filing date: 2006-01-10
Publication date: 2007-07-19

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Abstract

A method for use of a physical data storage medium, the method including receiving a first read request for data stored in any of a plurality of storage sub-units on a physical data storage medium, and decrypting the requested data if an indicator associated with the requested data storage sub-unit indicates that data in the requested storage sub-unit is encrypted.

Description

    FIELD OF THE INVENTION
  • The present invention relates to data storage in general, and more particularly to management of encrypted storage media.
  • BACKGROUND OF THE INVENTION
  • Data stored at a primary data operations site on physical data storage media, such as hard disks, are often copied to other physical data storage media at a point in time, with the copy being transported to a secondary data operations site at a remote location, such as for backup or disaster recovery purposes. Recent incidents involving loss or theft of such copies during transport have highlighted the need for security measures, such as encrypting the data on the copy prior to transport, possibly with multiple encryption keys. Unfortunately, such measures prevent the copy from “going live” at the remote site immediately upon arrival, as current techniques require that the copy be fully decrypted before use. Such a delay is particularly significant where data processing involving the copied data is suspended at the primary site until the secondary site data go live, such as where the data at both sites are to be synchronized with each other. Furthermore, it is often desirable to encrypt data on data storage devices even if the data storage device is not meant to be transported. It would thus be desirable to be able to efficiently determine the encryption state of the data and the keys used to encrypt the data.
  • SUMMARY OF THE INVENTION
  • The present invention discloses a system and method for secure transfer of physical data storage media and use thereof.
  • In one aspect of the present invention a method is provided for use of a physical data storage medium, the method including receiving a first read request for data stored in any of a plurality of storage sub-units on a physical data storage medium, and decrypting the requested data if an indicator associated with the requested data storage sub-unit indicates that data in the requested storage sub-unit is encrypted.
  • In another aspect of the present invention the method further includes encrypting the data in the plurality of storage sub-units on the physical data storage medium.
  • In another aspect of the present invention the encrypting step includes encrypting data in a plurality of the storage sub-units with a plurality of keys.
  • In another aspect of the present invention the encrypting step is performed at a first physical location, and where the receiving and decrypting steps are performed at a second physical location.
  • In another aspect of the present invention the method further includes setting an indicator for each of the data storage sub-units indicating if data in the data storage sub-unit is encrypted.
  • In another aspect of the present invention the method further includes transporting the encrypted physical data storage medium to a second physical location.
  • In another aspect of the present invention the setting step includes setting the indicator within a vector having a plurality of indices, where each index corresponds to one of the data storage sub-units on the physical data storage medium.
  • In another aspect of the present invention the method further includes writing the decrypted data to the data storage sub unit and setting the requested data storage sub-unit's indicator to indicate that the data in the requested storage sub-unit are not encrypted.
  • In another aspect of the present invention the method further includes receiving a second read request for the data stored in the data storage sub-unit for which the first read request was previously received, and providing the previously-decrypted data responsive to the second read request.
  • In another aspect of the present invention the method further includes reencrypting any of the data with a new key concurrently with performing any of the steps.
  • In another aspect of the present invention a method is provided for use of a physical data storage medium, the method including encrypting, at a first physical location, data for storage in a plurality of storage sub-units on a physical data storage medium, transporting the encrypted physical data storage medium to a second physical location, receiving a first read request for data stored in any of the data storage sub-units on the encrypted physical data storage medium, and decrypting the requested data if an indicator associated with the requested data storage sub-unit indicates that data in the requested storage sub-unit is encrypted.
  • In another aspect of the present invention the encrypting step includes encrypting data in the plurality of the storage sub-units with a plurality of keys.
  • In another aspect of the present invention the method further includes setting an indicator for each of the data storage sub-units indicating if data in the data block is encrypted.
  • In another aspect of the present invention the method further includes transporting the indicators to the second physical location in association with the encrypted physical data storage medium.
  • In another aspect of the present invention the setting step includes setting the indicator within a vector having a plurality of indices, where each index corresponds to one of the data storage sub-units on the physical data storage medium.
  • In another aspect of the present invention the method further includes setting the requested data storage sub-unit's indicator to indicate that the data in the requested storage sub-unit are not encrypted.
  • In another aspect of the present invention the method further includes receiving a second read request for the data stored in the data storage sub-unit for which the first read request was previously received, and providing the previously-decrypted data responsive to the second read request.
  • In another aspect of the present invention the method further includes decrypting any of the data concurrently with performing any of the steps and before read requests are received for the data.
  • In another aspect of the present invention the concurrent decryption step includes decrypting any of the data in storage sub-units adjoining or located in the vicinity of storage sub-units for which read requests were received.
  • In another aspect of the present invention the method further includes reencrypting any of the data with a new key concurrently with performing any of the steps.
  • In another aspect of the present invention a system is provided for secure use of physical data storage media, the system including an at least partially encrypted data storage medium storing data in any of a plurality of storage sub-units, a plurality of indicators, each indicator corresponding to one of the storage sub-units and indicating whether data in the storage sub-unit is encrypted, and a storage control unit configured to receive read requests for data stored in one of the storage sub-units on the encrypted data storage medium prior to the data storage medium being decrypted, consult the block's corresponding indicator to determine whether the requested data is encrypted, and decrypt the data if the requested data is encrypted.
  • In another aspect of the present invention the data in at least two of the storage sub-units are encrypted with different keys.
  • In another aspect of the present invention the storage control unit is further configured to write the decrypted data to the data storage sub unit and set the requested data storage sub-unit's indicator to indicate that the data in the requested storage sub-unit are not encrypted.
  • In another aspect of the present invention the storage control unit is further configured to receive a second read request for the data stored in the data storage sub-unit for which the first read request was previously received, and provide the previously-decrypted data responsive to the second read request.
  • In another aspect of the present invention the storage control unit is further configured to reencrypt any of the data with a new key concurrently with performing any of the steps.
  • In another aspect of the present invention the storage control unit is further configured to decrypt any of the data concurrently with performing any of the steps and before read requests are received for the data.
  • In another aspect of the present invention the storage control unit is further configured to decrypt any of the data in storage sub-units adjoining or located in the vicinity of storage sub-units for which read requests were received.
  • In another aspect of the present invention the system further includes reencrypting any of the data with a new key concurrently with performing any of the steps.
  • In another aspect of the present invention a computer-implemented program is provided embodied on a computer-readable medium, the computer program including a first code segment operative to receive a first read request for data stored in any of a plurality of storage sub-units on a physical data storage medium, and a second code segment operative to decrypt the requested data if an indicator associated with the requested data storage sub-unit indicates that data in the requested storage sub-unit is encrypted.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention will be understood and appreciated more fully from the following detailed description taken in conjunction with the appended drawings in which:
  • FIG. 1 is a simplified conceptual illustration of a system for secure transfer of physical data storage media and use thereof, constructed and operative in accordance with a preferred embodiment of the present invention;
  • FIG. 2 is a simplified flowchart illustration of an exemplary method of operation of the system of FIG. 1, operative in accordance with a preferred embodiment of the present invention;
  • FIG. 3 is a simplified flowchart illustration of an alternate exemplary method of operation of the system of FIG. 1, operative in accordance with a preferred embodiment of the present invention; and
  • FIG. 4 is a simplified flowchart illustration of a supplemental method of operation of the system of FIG. 1, operative in accordance with a preferred embodiment of the present invention
  • DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
  • Reference is now made to FIG. 1, which is a simplified conceptual illustration of a system for secure transfer of physical data storage media and use thereof, constructed and operative in accordance with a preferred embodiment of the present invention, and additionally to FIG. 2, which is a simplified flowchart illustration of an exemplary method of operation of the system of FIG. 1, operative in accordance with a preferred embodiment of the present invention. In the system of FIG. 1 and method of FIG. 2, a primary physical data storage medium 100, such as a hard disk of a computer 102, is shown at a first physical location, such as at a primary data operations site. Storage 100 preferably stores data in one or more storage sub-units, such as blocks. A partially or wholly encrypted copy 104 is made of storage 100 by a storage control unit 110 using conventional techniques, where the data stored on storage 100 are read, encrypted, typically at the block level, and written to corresponding blocks in encrypted form to another physical data storage medium. An indicator 106, such as may be represented by an index in a vector of indices, is preferably provided for each block in encrypted copy 104, and is set to indicate whether or not its corresponding block contains encrypted data, such as where indicator 106 is a bit set to a value of one to indicate that the block was encrypted at the time that encrypted copy 104 was prepared, and zero to indicate that the block is not encrypted.
  • Encrypted copy 104, together with its set of indicators 106, is then transported to a second physical location, such as to a secondary data operations site at a location that is remote from the first location. Alternatively, if it is known that encrypted copy 104 is completely encrypted, it may be transported without indicators 106, as each block may be assumed to be encrypted when reading encrypted copy 104. In marked contrast with prior art techniques, where either an encrypted copy must be completely decrypted before the copied data may “go live” and be used in a production environment, or where data is read and decrypted on every access but left encrypted on the medium, in accordance with the present invention encrypted copy 104 is provided for immediate use, such as by a computer 108 in the form of read/write requests by computer 108's operating system and/or applications executed by computer 108, without encrypted copy 104 first being completely decrypted, and without leaving the data permanently encrypted on the medium and decrypting on every access, thereby reducing the number of decryptions required. A storage control unit 112 is preferably provided for receiving read requests for data stored on encrypted copy 104. When storage control unit 112 first receives a read request for data stored at a particular block on encrypted copy 104, storage control unit 112 consults the block's corresponding indicator 106 to determine whether or not the data stored in the specified block is encrypted. If the data is encrypted, storage control unit 112 decrypts the data. The encryption/decryption of a given block is preferably performed as a function of a key, the location of the block on the storage device, and the block content, but is independent of the plaintext/ciphertext on other blocks. In one embodiment, a single key is used for all encrypted blocks on encrypted copy 104. Any suitable encryption/decryption algorithm may be employed, such as those described in IEEE's P1619 family of standards (see http://www.computer.org/computer/homepage/1124/standards/index.htm). Once the data in an encrypted block have been decrypted, the decrypted data may be written to cache and/or back to the block from which data were read. When the data is written back to the block from which it is read, storage control unit 112 then sets the block's corresponding indicator 106 to indicate that the block's data are not encrypted. Subsequent read requests for data stored at the decrypted block may be serviced by storage control unit 112 with the already-decrypted data, as the block's corresponding indicator 106 indicates that the block's data have already been decrypted. Indeed, where a block's data is already in cache, there is no need to consult the block's corresponding indicator 106 at all, as the read request may be satisfied directly from cache. Storage control unit 112 may service write operations on a block whose corresponding indicator 106 indicates that the block's data are encrypted by setting indicator 106 to indicate that the block's data are not encrypted, even where no previous read request was received for the block's data that would have resulted in the data's decryption.
  • Reference is now made to FIG. 3, which is a simplified flowchart illustration of an alternate exemplary method of operation of the system of FIG. 1, operative in accordance with a preferred embodiment of the present invention. The method of FIG. 3 is substantially similar to the method of FIG. 2, with the notable exception that instead of transporting encrypted copy 104 to a second physical location, encrypted copy 104 is provided for use by storage control unit 112 at the first physical location. Another notable exception, which may also be applied to the method of FIG. 2, is that the set of indicators 106 need not be prepared by storage control unit 110 and provided to storage control unit 112, but may instead be generated by storage control unit 112, where storage control unit 112 is configured to assume that all the storage sub-units on encrypted copy 104 are encrypted and generate the set of indicators 106 accordingly.
  • The methods of FIGS. 2 and 3 may be further enhanced by storage control unit 112 concurrently running a background process that decrypts encrypted storage sub-units of encrypted copy 104 before read requests are received for their data. Priority may also be given to background decryption of storage sub-units adjoining or located in the vicinity of storage sub-units for which read requests were received, on the assumption that they are more likely to be read than storage sub-units for which read requests were not yet received.
  • Reference is now made to FIG. 4, which is a simplified flowchart illustration of a supplemental method of operation of the system of FIG. 1, operative in accordance with a preferred embodiment of the present invention. The method of FIG. 4 may be used in conjunction with the methods of FIG. 2 or FIG. 3, where different blocks of encrypted copy 104 may be encrypted with different keys. Indicator 106 in FIG. 1 may be represented by a key-descriptor in a vector that is preferably provided for each block in encrypted copy 104. Indicator 106 is preferably set to indicate whether or not its corresponding block contains encrypted data, such as where indicator 106 is set to a non-zero value i, indicating that the block was encrypted with a key Ki, or a zero to indicate that the block is not encrypted.
  • During normal operation, when storage control unit 112 receives a read request for data stored at a particular block on encrypted copy 104, storage control unit 112 consults the block's corresponding indicator 106 to determine whether or not the data stored in the specified block is encrypted, and, if so, which key was used. Storage control unit 112 then decrypts the data if necessary, and may be configured to reencrypt the data with either the key with which the data was last encrypted or with a new key, such as during a key refresh procedure, or to leave the data unencrypted. A background task may optionally be provided which re-encrypts any of the data with a new key, such as during periods of low CPU use and/or no disk access, with the background task running concurrently with any methods described hereinabove.
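The following is an added worked example, not code from the patent or from IBM; it models the whole procedure described for FIGS. 2 through 4 in one place: the primary-site storage control unit (110) encrypting block by block and recording one key descriptor per block, the copy and its indicator vector travelling together, and the secondary-site storage control unit (112) decrypting a block only on its first read, writing the plaintext back and clearing the indicator, serving later reads from cache, clearing the indicator on a write without decrypting, decrypting adjoining blocks in a background pass, generating an all-encrypted vector when none was shipped (FIG. 3), and refreshing a block's key (FIG. 4). The names `BLOCK_SIZE`, `EncryptedCopy`, `StorageControlUnit`, `make_encrypted_copy` and the key table are hypothetical, and the per-block cipher is a stand-in (an HMAC-SHA256 keystream bound to the key and block index, so that each block depends on its location but not on other blocks) rather than the IEEE P1619 modes the text points to.

```python
"""Lazy-decrypting storage controller with a per-block key-descriptor vector.

Added example, not the patent's code.  BLOCK_SIZE, the class names and the key
table are hypothetical; the cipher is a stand-in (HMAC-SHA256 keystream bound to
key and block index, so a block depends on its location but not on other blocks)
where a real controller would use an IEEE P1619 (XTS) mode."""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

BLOCK_SIZE = 32  # constructed: small blocks keep the demo readable

def _keystream(key: bytes, index: int, length: int) -> bytes:
    """Location-bound keystream: HMAC(key, index || counter) blocks, concatenated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        msg = index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xform(key: bytes, index: int, data: bytes) -> bytes:
    """Encrypt or decrypt one block; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, index, len(data))))

class EncryptedCopy:
    """Medium 104 plus indicators 106: indicators[i] == 0 means block i is plaintext,
    indicators[i] == k >= 1 means block i is encrypted under keys[k].  The one-bit
    indicator of FIG. 2 is the special case where key 1 is the only key."""

    def __init__(self, blocks: List[bytes], indicators: Optional[List[int]],
                 keys: Dict[int, bytes]) -> None:
        self.blocks = list(blocks)
        # FIG. 3 variant: no vector shipped, so assume every block is under key 1
        self.indicators = list(indicators) if indicators is not None else [1] * len(blocks)
        self.keys = dict(keys)
        self.decryptions = 0  # cipher operations performed, to show the saving

def make_encrypted_copy(plain: List[bytes], key_for_block: Callable[[int], int],
                        keys: Dict[int, bytes]) -> EncryptedCopy:
    """Unit 110: encrypt block by block, one key descriptor per block (0 = in clear)."""
    blocks, indicators = [], []
    for i, pt in enumerate(plain):
        k = key_for_block(i)
        blocks.append(xform(keys[k], i, pt) if k else pt)
        indicators.append(k)
    return EncryptedCopy(blocks, indicators, keys)

class StorageControlUnit:
    """Unit 112: serves reads and writes before the copy is fully decrypted."""

    def __init__(self, copy: EncryptedCopy) -> None:
        self.copy = copy
        self.cache: Dict[int, bytes] = {}

    def _decrypt_in_place(self, i: int) -> None:
        """Decrypt block i under the key its indicator names, write back, clear flag."""
        k = self.copy.indicators[i]
        if k:  # no-op if the block is already plaintext
            self.copy.blocks[i] = xform(self.copy.keys[k], i, self.copy.blocks[i])
            self.copy.indicators[i] = 0
            self.copy.decryptions += 1

    def read(self, i: int) -> bytes:
        if i not in self.cache:        # cached data needs no indicator lookup
            self._decrypt_in_place(i)  # only the first read pays for decryption
            self.cache[i] = self.copy.blocks[i]
        return self.cache[i]

    def write(self, i: int, data: bytes) -> None:
        """Overwriting an encrypted block needs no decryption: just clear the flag."""
        self.copy.blocks[i] = self.cache[i] = data
        self.copy.indicators[i] = 0

    def background_decrypt(self, around: int, radius: int = 1) -> None:
        """Background task: decrypt the blocks adjoining a recently read block."""
        for j in range(max(0, around - radius), min(len(self.copy.blocks), around + radius + 1)):
            self._decrypt_in_place(j)

    def rekey(self, i: int, new_key_id: int) -> None:
        """Key refresh (FIG. 4): decrypt under the old key if needed, re-encrypt under new."""
        self._decrypt_in_place(i)
        self.cache.pop(i, None)
        self.copy.blocks[i] = xform(self.copy.keys[new_key_id], i, self.copy.blocks[i])
        self.copy.indicators[i] = new_key_id

def demo() -> StorageControlUnit:
    """Primary site encrypts; copy and indicators travel; secondary site uses it."""
    keys = {1: b"K1 constructed", 2: b"K2 constructed", 3: b"K3 refresh key"}
    plain = [f"block {i:02d} ".encode().ljust(BLOCK_SIZE, b".") for i in range(8)]
    # blocks 0..6 alternate keys 1 and 2; block 7 is shipped in the clear
    copy = make_encrypted_copy(plain, lambda i: 0 if i == 7 else 1 + i % 2, keys)
    unit = StorageControlUnit(copy)
    unit.read(3)                  # first access: one decryption plus write-back
    unit.read(3)                  # served from cache, no decryption
    unit.background_decrypt(3)    # blocks 2 and 4 decrypted ahead of demand
    unit.write(5, b"new data".ljust(BLOCK_SIZE, b"\0"))  # no decryption needed
    unit.rekey(0, 3)              # block 0 now encrypted under key 3
    return unit
```

After `demo()` the indicator vector reads `[3, 2, 0, 0, 0, 0, 1, 0]` and exactly four cipher operations have run: one for the first read of block 3, two for its neighbours in the background pass, and one to strip the old key from block 0 before re-encrypting it. Two cautions follow from the stand-in cipher. A keystream XOR is fine for a one-way decrypt-and-write-back, but re-encrypting changed plaintext under the same key and block index (the "same key" option the text allows) would reuse the keystream and leak the XOR of old and new plaintext; a tweakable block-cipher mode such as the P1619 XTS mode does not have that problem, which is one reason the text points to that family. And since the controller acts on the indicator vector without any other check, the vector has to arrive unaltered alongside the medium: a stale or corrupted descriptor makes the controller hand ciphertext to the host as plaintext, or "decrypt" plaintext into garbage and write it back.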
  • It is appreciated that one or more of the steps of any of the methods described herein may be omitted or carried out in a different order than that shown, without departing from the true spirit and scope of the invention.
  • While the methods and apparatus disclosed herein may or may not have been described with reference to specific computer hardware or software, it is appreciated that the methods and apparatus described herein may be readily implemented in computer hardware or software using conventional techniques.
  • While the present invention has been described with reference to one or more specific embodiments, the description is intended to be illustrative of the invention as a whole and is not to be construed as limiting the invention to the embodiments shown. It is appreciated that various modifications may occur to those skilled in the art that, while not specifically shown herein, are nevertheless within the true spirit and scope of the invention.

Claims (29)

  1. A method for use of a physical data storage medium, the method comprising:
    receiving a first read request for data stored in any of a plurality of storage sub-units on a physical data storage medium; and
    decrypting said requested data if an indicator associated with said requested data storage sub-unit indicates that data in said requested storage sub-unit is encrypted.
  2. A method according to claim 1 and further comprising encrypting said data in said plurality of storage sub-units on said physical data storage medium.
  3. A method according to claim 2 wherein said encrypting step comprises encrypting data in a plurality of said storage sub-units with a plurality of keys.
  4. A method according to claim 2 wherein said encrypting step is performed at a first physical location, and wherein said receiving and decrypting steps are performed at a second physical location.
  5. A method according to claim 2 and further comprising setting an indicator for each of said data storage sub-units indicating if data in said data storage sub-unit is encrypted.
  6. A method according to claim 2 and further comprising transporting said encrypted physical data storage medium to a second physical location.
  7. A method according to claim 5 wherein said setting step comprises setting said indicator within a vector having a plurality of indices, where each index corresponds to one of said data storage sub-units on said physical data storage medium.
  8. A method according to claim 1 and further comprising writing said decrypted data to said data storage sub-unit and setting said requested data storage sub-unit's indicator to indicate that said data in said requested storage sub-unit are not encrypted.
  9. A method according to claim 8 and further comprising:
    receiving a second read request for said data stored in said data storage sub-unit for which said first read request was previously received; and
    providing said previously-decrypted data responsive to said second read request.
  10. A method according to claim 1 and further comprising reencrypting any of said data with a new key concurrently with performing any of said steps.
  11. A method for use of a physical data storage medium, the method comprising:
    encrypting, at a first physical location, data for storage in a plurality of storage sub-units on a physical data storage medium;
    transporting said encrypted physical data storage medium to a second physical location;
    receiving a first read request for data stored in any of said data storage sub-units on said encrypted physical data storage medium; and
    decrypting said requested data if an indicator associated with said requested data storage sub-unit indicates that data in said requested storage sub-unit is encrypted.
  12. A method according to claim 11 wherein said encrypting step comprises encrypting data in said plurality of said storage sub-units with a plurality of keys.
  13. A method according to claim 11 and further comprising setting an indicator for each of said data storage sub-units indicating if data in said data block is encrypted.
  14. A method according to claim 13 and further comprising transporting said indicators to said second physical location in association with said encrypted physical data storage medium.
  15. A method according to claim 11 wherein said setting step comprises setting said indicator within a vector having a plurality of indices, where each index corresponds to one of said data storage sub-units on said physical data storage medium.
  16. A method according to claim 11 and further comprising setting said requested data storage sub-unit's indicator to indicate that said data in said requested storage sub-unit are not encrypted.
  17. A method according to claim 16 and further comprising:
    receiving a second read request for said data stored in said data storage sub-unit for which said first read request was previously received; and
    providing said previously-decrypted data responsive to said second read request.
  18. A method according to claim 11 and further comprising decrypting any of said data concurrently with performing any of said steps and before read requests are received for said data.
  19. A method according to claim 18 wherein said concurrent decryption step comprises decrypting any of said data in storage sub-units adjoining or located in the vicinity of storage sub-units for which read requests were received.
  20. A method according to claim 11 and further comprising reencrypting any of said data with a new key concurrently with performing any of said steps.
  21. A system for secure use of physical data storage media, the system comprising:
    an at least partially encrypted data storage medium storing data in any of a plurality of storage sub-units;
    a plurality of indicators, each indicator corresponding to one of said storage sub-units and indicating whether data in said storage sub-unit is encrypted; and
    a storage control unit configured to:
    receive read requests for data stored in one of said storage sub-units on said encrypted data storage medium prior to said data storage medium being decrypted,
    consult said block's corresponding indicator to determine whether said requested data is encrypted, and
    decrypt said data if said requested data is encrypted.
  22. A system according to claim 21 wherein said data in at least two of said storage sub-units are encrypted with different keys.
  23. A system according to claim 21 wherein said storage control unit is further configured to write said decrypted data to said data storage sub-unit and set said requested data storage sub-unit's indicator to indicate that said data in said requested storage sub-unit are not encrypted.
  24. A system according to claim 23 wherein said storage control unit is further configured to:
    receive a second read request for said data stored in said data storage sub-unit for which said first read request was previously received, and provide said previously-decrypted data responsive to said second read request.
  25. A system according to claim 21 wherein said storage control unit is further configured to reencrypt any of said data with a new key concurrently with performing any of said steps.
  26. A system according to claim 21 wherein said storage control unit is further configured to decrypt any of said data concurrently with performing any of said steps and before read requests are received for said data.
  27. A system according to claim 26 wherein said storage control unit is further configured to decrypt any of said data in storage sub-units adjoining or located in the vicinity of storage sub-units for which read requests were received.
  28. A system according to claim 21 and further comprising reencrypting any of said data with a new key concurrently with performing any of said steps.
  29. A computer-implemented program embodied on a computer-readable medium, the computer program comprising:
    a first code segment operative to receive a first read request for data stored in any of a plurality of storage sub-units on a physical data storage medium; and
    a second code segment operative to decrypt said requested data if an indicator associated with said requested data storage sub-unit indicates that data in said requested storage sub-unit is encrypted.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11330409 US20070168284A1 (en) 2006-01-10 2006-01-10 Management of encrypted storage media

Publications (1)

Publication Number Publication Date
US20070168284A1 (en) 2007-07-19

Family

ID=38264406

Family Applications (1)

Application Number Title Priority Date Filing Date
US11330409 Abandoned US20070168284A1 (en) 2006-01-10 2006-01-10 Management of encrypted storage media

Country Status (1)

Country Link
US (1) US20070168284A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150381589A1 (en) * 2014-06-28 2015-12-31 Vmware, Inc. Asynchronous encryption and decryption of virtual machine memory for live migration
US20160070655A1 (en) * 2013-05-30 2016-03-10 Dell Products L.P. System and method for intercept of uefi block i/o protocol services for bios based hard drive encryption support
US9552217B2 (en) 2014-06-28 2017-01-24 Vmware, Inc. Using active/active asynchronous replicated storage for live migration
US9672120B2 (en) 2014-06-28 2017-06-06 Vmware, Inc. Maintaining consistency using reverse replication during live migration
US9760443B2 (en) 2014-06-28 2017-09-12 Vmware, Inc. Using a recovery snapshot during live migration
US9766930B2 (en) 2014-06-28 2017-09-19 Vmware, Inc. Using active/passive asynchronous replicated storage for live migration
US9898320B2 (en) 2014-06-28 2018-02-20 Vmware, Inc. Using a delta query to seed live migration
US9910791B1 (en) * 2015-06-30 2018-03-06 EMC IP Holding Company LLC Managing system-wide encryption keys for data storage systems

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4935825A (en) * 1988-12-16 1990-06-19 Emulex Corporation Cylinder defect management system for data storage system
US6462992B2 (en) * 1989-04-13 2002-10-08 Sandisk Corporation Flash EEprom system
US5790828A (en) * 1993-04-29 1998-08-04 Southwestern Bell Technology Resources, Inc. Disk meshing and flexible storage mapping with enhanced flexible caching
US5892900A (en) * 1996-08-30 1999-04-06 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US20030091186A1 (en) * 2001-10-12 2003-05-15 Fontijn Wilhelmus Fransiscus Johannes Apparatus and method for reading or writing user data
US7328352B2 (en) * 2001-10-12 2008-02-05 Koninklijke Philips Electronics N.V. Apparatus and method for reading or writing user data
US7107459B2 (en) * 2002-01-16 2006-09-12 Sun Microsystems, Inc. Secure CPU and memory management unit with cryptographic extensions
US20030133574A1 (en) * 2002-01-16 2003-07-17 Sun Microsystems, Inc. Secure CPU and memory management unit with cryptographic extensions
US20030177379A1 (en) * 2002-03-14 2003-09-18 Sanyo Electric Co., Ltd. Storing device allowing arbitrary setting of storage region of classified data
US20040172538A1 (en) * 2002-12-18 2004-09-02 International Business Machines Corporation Information processing with data storage
US20050091491A1 (en) * 2003-10-28 2005-04-28 Dphi Acquisitions, Inc. Block-level storage device with content security
US20060039554A1 (en) * 2004-08-18 2006-02-23 Roxio, Inc. High security media encryption
US7360057B2 (en) * 2005-03-22 2008-04-15 Seagate Technology, Llc Encryption of data in a range of logical block addresses
US20070101134A1 (en) * 2005-10-31 2007-05-03 Cisco Technology, Inc. Method and apparatus for performing encryption of data at rest at a port of a network device

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160070655A1 (en) * 2013-05-30 2016-03-10 Dell Products L.P. System and method for intercept of uefi block i/o protocol services for bios based hard drive encryption support
US9589156B2 (en) * 2013-05-30 2017-03-07 Dell Products, L.P. System and method for intercept of UEFI block I/O protocol services for bios based hard drive encryption support
US20150381589A1 (en) * 2014-06-28 2015-12-31 Vmware, Inc. Asynchronous encryption and decryption of virtual machine memory for live migration
US9552217B2 (en) 2014-06-28 2017-01-24 Vmware, Inc. Using active/active asynchronous replicated storage for live migration
US9588796B2 (en) 2014-06-28 2017-03-07 Vmware, Inc. Live migration with pre-opened shared disks
US9626212B2 (en) 2014-06-28 2017-04-18 Vmware, Inc. Live migration of virtual machines with memory state sharing
US9672120B2 (en) 2014-06-28 2017-06-06 Vmware, Inc. Maintaining consistency using reverse replication during live migration
US9760443B2 (en) 2014-06-28 2017-09-12 Vmware, Inc. Using a recovery snapshot during live migration
US9766930B2 (en) 2014-06-28 2017-09-19 Vmware, Inc. Using active/passive asynchronous replicated storage for live migration
US9898320B2 (en) 2014-06-28 2018-02-20 Vmware, Inc. Using a delta query to seed live migration
US9910791B1 (en) * 2015-06-30 2018-03-06 EMC IP Holding Company LLC Managing system-wide encryption keys for data storage systems

Similar Documents

Publication Publication Date Title
US6993661B1 (en) System and method that provides for the efficient and effective sanitizing of disk storage units and the like
US7170999B1 (en) Method of and apparatus for encrypting and transferring files
US20030105967A1 (en) Apparatus for encrypting data and method thereof
US20020073326A1 (en) Protect by data chunk address as encryption key
US20050204154A1 (en) Method and apparatus for cryptographic conversion in a data storage system
US20070195957A1 (en) Method and Apparatus for Secure Key Management and Protection
US7792300B1 (en) Method and apparatus for re-encrypting data in a transaction-based secure storage system
US20060095793A1 (en) Secure memory control parameters in table look aside buffer data fields and support memory array
US20070113104A1 (en) System and method for data encryption keys and indicators
US7240197B1 (en) Method and apparatus for encryption and decryption in remote data storage systems
US20070058801A1 (en) Managing the encryption of data
US20090031128A1 (en) Transparent aware data transformation at file system level for efficient encryption and integrity validation of network files
US20080247540A1 (en) Method and apparatus for protecting digital contents stored in usb mass storage device
US20040172538A1 (en) Information processing with data storage
US20080104417A1 (en) System and method for file encryption and decryption
US20100306635A1 (en) Method for Verifying Correct Encryption Key Utilization
US20080232592A1 (en) Method and apparatus for performing selective encryption/decryption in a data storage system
US20120057696A1 (en) Multi-key cryptography for encrypting file system acceleration
US7526451B2 (en) Method of transferring digital rights
US20070174634A1 (en) System and/or method for encrypting data
US20100008499A1 (en) Method and apparatus for generating random data-encryption keys
US20100232604A1 (en) Controlling access to content using multiple encryptions
US8621240B1 (en) User-specific hash authentication
US20080159526A1 (en) Architecture and instruction set for implementing advanced encryption standard (AES)
US20110191595A1 (en) Encryption key rotation messages written and observed by storage controllers via storage media

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:FACTOR, MICHAEL E;NAOR, DALIT;WOLMAN, ADAM;AND OTHERS;REEL/FRAME:017066/0601;SIGNING DATES FROM 20060104 TO 20060110